High-fidelity model-driven deception platform for cyber-physical systems

ABSTRACT

Methods are described for protecting a cyber-physical system against a potential attacker of the system. The methods include a method of generating a plurality of examples for a training data set and training a system model using the training data set to generate a decoy configured to generate a synthetic output that mimics historical outputs generated by the system for a given historical system context. Also described is a method including receiving a system context of a cyber-physical system; receiving an inquiry into the system by a potential attacker; applying a system model to the system context and the inquiry; obtaining from the system model a synthetic output that mimics how a component of the system would respond to the inquiry given the system context; and providing the synthetic output to the potential attacker.

PRIORITY/CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of application Ser. No. 16/389,758,filed Apr. 19, 2019, which claimed the benefit of U.S. ProvisionalApplication No. 62/664,702, filed Apr. 30, 2018, the disclosures ofwhich are herein incorporated by reference.

STATEMENT AS TO RIGHTS TO DISCLOSURES MADE UNDER FEDERALLY-SPONSOREDRESEARCH AND DEVELOPMENT

This disclosure was made with Government support under ContractDE-AC0576RL01830 awarded by the U.S. Department of Energy. TheGovernment has certain rights in the invention.

BACKGROUND

In the field of cyber security, deception defense is a techniquesometimes used to slow down an attacker. Deception defense involvesenticing an attacker away from an actual target, to give securityadministrators time to respond. In traditional computing systems (e.g.,Information Technology (IT) systems, banking systems, mobile computingsystems, and other non-control systems), an attacker may be deceived bymock protocol communications and data in the system. For instance, somedeception systems work by responding to an attacker's protocolcommunications with pre-populated data that is not tied to a specificcondition or state of the real system. Traditional deception techniqueslike these may be unconvincing to attackers of cyber-physical systemsthat control actual, physical processes.

SUMMARY

The present disclosure may enable cyber-physical systems to defendagainst cyber-attacks using high-fidelity deception techniques. As usedherein, the term “cyber-physical system” refers to any network-connectedsystem that supports a physical process occurring at least partiallyoutside a computing environment. Said a different way, a cyber-physicalsystem may perform any real-world process, as opposed to a computingprocess, using integrated components that sense and monitor the process,or manipulate and control the process, to achieve various goals for thereal-world process, such as optimization, safety, efficiency and thelike. Unlike “cyber-systems” or information technology (IT) systems thatexchange data driven by computer processes (including virtual processes)occurring in a computer or computer network, the data exchanged within acyber-physical system is driven by physical processes involving physicalobjects or physical environments that exist outside a computingenvironment (i.e., in the real-world).

Responding with pre-populated data that is not tied to a specificcondition or state of the real system may work to distract acyber-attacker in a virtual world, however this type of deception may beunconvincing to an attacker of a cyber-physical system that expects tosee data changing based on physical processes happening in thereal-world. A cyber-physical system may use the described deceptiontechniques to deploy realistic decoys that generate data to mimic whatthe attacker expects to see if the data was generated by an actualparticipant, integrated with the cyber-physical system. The decoysexecute according to one or more models (e.g., machine-learned models,physics-based models) trained or programmed based on historical,operational data generated by the cyber-physical system (or similarcyber-physical system) that the decoys are deployed to protect. Themodel mimics data generated by other components of the cyber-physicalsystem, under various states and operating conditions of thecyber-physical system. As the state or operating conditions of thecyber-physical system change over time, the model causes the decoys toproduce realistic data that is tailored to a current state or currentoperating condition of the cyber-physical system. Providing thissynthetic output to the attacker may entice the attacker by appearing toexpose a vulnerability in the cyber-physical system. The attacker mightbe deceived by the synthetic output from a decoy into thinking they arelearning what part of the cyber-physical system senses, controls, ordoes (e.g., to validate an attack on a different part of thecyber-physical system). The one or more models configure the decoys tosimulate behavior of the real cyber-physical system thereby providinghighly-realistic deceptive responses to attackers.

A security administrator may receive an alert when an attacker iscommunicating with, and being distracted by, a decoy. While the attackeris distracted, the security administrator can take active securitymeasures in response to the alert to defend against the attack.

In one embodiment, a method for protecting a cyber-physical systemagainst a potential attacker, the method comprising: collectinghistorical information about the cyber-physical system; training, basedon the historical information, a machine-learned model to predict futureconditions of at least a portion of the cyber-physical system; detectingan input signal received by a decoy component of the cyber-physicalsystem, wherein the decoy component is configured to simulate, based onthe future conditions predicted by the machine-learned model, afunctionality of the at least a portion of the cyber-physical system;responsive to detecting the input signal: outputting an alert to thecyber-physical system indicative of the potential attacker; and enablingthe decoy component to respond to the input signal by simulating thefunctionality of the at least a portion of the cyber-physical system.

In a different embodiment, a system includes at least one processor; anda memory comprising instructions that, when executed, cause the at leastone processor to: maintain a set of variables related to a physicalprocess being emulated by a decoy of a cyber-physical system;dynamically update at least one variable from the set of variables basedon future conditions of the cyber-physical system that are predicted bya machine-learned model that is trained from historical informationcollected about the cyber-physical system; and output networkcommunications indicative of the at least one variable that wasdynamically updated.

In yet another embodiment, a system for protecting a cyber-physicalsystem against a potential attacker of the cyber-physical system,comprising at least one processor configured to: collect historicalinformation about the cyber-physical system; train, based on thehistorical information, a machine-learned model to predict futureconditions of at least a portion of the cyber-physical system; andresponsive to detecting an input signal to the cyber-physical system:output an alert to the cyber-physical system indicative of a potentialattacker; and respond to the input signal by simulating, based on thefuture conditions predicted by the machine-learned model, functionalityand communications of the at least a portion of the cyber-physicalsystem.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a conceptual diagram illustrating an example cyber-physicalsystem including one or more decoys trained to distract an attacker, inaccordance with the techniques of this disclosure.

FIG. 2 is a conceptual diagram illustrating an example model trained,based on historical data associated with a cyber-physical system, todeploy one or more decoys for distracting an attacker, in accordancewith the techniques of this disclosure.

FIG. 3 is a conceptual diagram illustrating an example decoy fordeceiving an attacker of a cyber-physical system, in accordance with thetechniques of this disclosure.

FIG. 4 is a flow-chart illustrating example operations performed inresponse to a cyber-attack by a cyber-physical system and an integrateddecoy, in accordance with the techniques of this disclosure.

DETAILED DESCRIPTION

The following description and the referenced drawings provideillustrative examples of that which the inventors regard as theirinvention. As such, the embodiments discussed herein are merelyexemplary in nature and are not intended to limit the scope of theinvention, or its protection, in any manner. Rather, the description andillustration of these embodiments serve to enable a person of ordinaryskill in the relevant art to practice the invention.

The use of “cyber-physical system” means any network-connected systemthat supports a physical process occurring at least partially outside acomputing environment. unless the context clearly dictates otherwise.The use of “cyber-system” and “information technology system” means “anynetwork-connected system that supports computer processes occurringinside a computing environment” unless the context clearly dictatesotherwise. The use of “e.g.,” “etc.,” “for instance,” “in example,” “forexample,” and “or” and grammatically related terms indicatesnon-exclusive alternatives without limitation, unless the contextclearly dictates otherwise. The use of “including” and grammaticallyrelated terms means “including, but not limited to,” unless the contextclearly dictates otherwise. The use of the articles “a,” “an” and “the”are meant to be interpreted as referring to the singular as well as theplural, unless the context clearly dictates otherwise. Thus, forexample, reference to “a decoy” includes two or more such decoys, andthe like. The use of “optionally,” “alternatively.” and grammaticallyrelated terms means that the subsequently described element, event orcircumstance may or may not be present/occur, and that the descriptionincludes instances where said element, event or circumstance occurs andinstances where it does not. Words of approximation (e.g.,“substantially,” “generally”), as used in context of the specificationand figures, are intended to take on their ordinary and customarymeanings which denote approximation, unless the context clearly dictatesotherwise. As used herein, a phrase referring to “at least one of” alist of items refers to any combination of those items, including singlemembers. As an example, “at least one of: a, b, or c” is intended tocover a, b, c, a-b, a-c, b-c, and a-b-c, as well as any combination withmultiples of the same element (e.g., a-a, a-a-a, a-a-b, a-a-c, a-b-b,a-c-c, b-b, b-b-b, b-b-c, c-c, and c-c-c or any other ordering of a, b,and c).

FIG. 1 is conceptual diagram illustrating an example cyber-physicalsystem including one or more decoys trained to distract an attacker, inaccordance with the techniques of this disclosure. FIG. 1 includescyber-physical system 100 communicatively coupled to system model 110and network 130. From network 130, an attacker, such as attacker 114,may attempt to gain access to or control over cyber-physical system 100.

Network 130 represents a collection of computers and other devicescommunicatively coupled to share information. Network 130 may be coupledto, or form part of, the internet or some other public or privatenetwork. Network 130 can include any combination of one or more routers,switches, servers, mainframes, wired and wireless communication mediums,and other devices that facilitate exchange of information between two ormore entities communicating across network 130. In the example of FIG. 1, cyber-physical system 100 is configured to communicate with devicesconnected to network 130. For example, cyber-physical system 100 mayinclude an Ethernet interface for transmitting and receiving Ethernettraffic from other devices and systems that communicate via network 130.

Cyber-physical system 100 is a network-connected system that supports aphysical process occurring in the real-world. Cyber-physical system 100processes and generates data in response to physical processes occurringwith physical objects or within physical environments that exist outsidea computing environment, in the real-world. For instance, cyber-physicalsystem 100 may be a heating, ventilation, and air-conditioning (HVAC)system that controls temperature, humidity, air flow, or other conditionof a physical environment associated with a building or vehicle.Cyber-physical system 100 may be a lighting system that controls theluminosity of an office space, a home, or occupant area of a vehicle.Cyber-physical system 100 may be a power generation system that outputselectricity to a power-grid or a manufacturing or fabrication systemthat transforms a physical material into a physical product.Cyber-physical system 100 may be part of a propulsion system generatingmechanical power that propels a manned or unmanned vehicle or machine.

Cyber-physical system 100 includes one or more devices 102A through 102N(collectively “devices 102”), one or more controllers 104A through 104N(collectively “controllers 104”), user interface (UI)/user experience(UX) component 106, and data 108. Unlike cyber-systems or IT systemsthat exchange data to facilitate purely virtual processes or computerprocesses occurring in a computing environment, the data handled bycyber-physical system 100 is driven by operations performed by devices102, controllers 104, and UI/UX component 106, to support or controlphysical processes occurring outside a computing environment, in thereal-world.

For example, cyber-physical system 100 may include a furnace or a boilerof a HVAC system. Device 102A may be a blower or a valve that controlsheating capacity distribution through part of cyber-physical system 100.Controller 104A may communicate with and control device 102A whenevercyber-physical system 100 requires a change in heating capacity.

Controllers 104 may include one or more hardware processors orprocessing units. Controllers 104 may include non-transitory memories orother computer-readable storage medium configured to store instructionsor other data that is accessed and executed by hardware processors orprocessing units. Controllers 104 may receive inputs and generateoutputs in response. Controllers 104 may include various interfaces(e.g., network interfaces or “NICs”) for communicating with andcontrolling one or more components of cyber-physical system 100. A userof cyber-physical system 100, e.g., a technician, may program controller104A via UI/UX component 106. In some cases, controller 104A may beupdated remotely, e.g., via a connection to a remote devicecommunicatively coupled to cyber-physical system 100 via network 130.

In some examples, UI/UX component 106 includes one or more displays,speakers, microphones, user input components, and output components thattogether provide a user interface associated with cyber-physical system100. From access to UI/UX component 106, a user may monitor and alter astate of devices 102, controllers 104, and data 108.

During operation, cyber-physical system 100 may generate data 108. Data108 may be stored by cyber-physical system 100 in persistent storage ortemporary storage. For example, a configuration file referenced bycontroller 104A when controlling devices 102 may be stored in persistentstorage of cyber-physical system 100 so that the configuration file isnot corrupted or lost when cyber-physical system 100 loses power. Othertypes of data 108, such as sensor data or state information, may bestored in temporary storage of cyber-physical system 100 if, forexample, cyber-physical system 100 need not retain data 108 betweenpower cycles.

By being accessible via network 130, cyber-physical system 100 may bevulnerable to cyber-attacks. In other words, devices 102, controllers104, UI/UX component 106, and data 108 may be susceptible to maliciousintrusions from devices or other systems on network 130. Responding withpre-populated protocol communications may work to distract acyber-attacker in a virtual world, however this type of deception may beunconvincing to an attacker of cyber-physical system 100 which performsprocesses that cause change in the real or physical world.

For example, when attacking cyber-physical system 100, attacker 114 mayestablish a communication session with cyber-physical system 100 vianetwork 130. Attacker 114 may snoop on data 108 or communicationsbetween components of cyber-physical system 100 and expect to seechanges to data 108 based on physical processes happening in thereal-world. If cyber-physical system 100 responds to suspected attackerswith the same, pre-populated protocol communications or mock dataanytime cyber-physical system 100 is under attack, attacker 114 mayrecognize the canned communications as an attempted deception and takeovert actions to avoid the deception or attack a different part ofcyber-physical system 100. In accordance with the techniques of thisdisclosure, cyber-physical system 100 may defend against cyber-attacksusing high-fidelity deception techniques.

Cyber-physical system 100 includes one or more decoys 112 (e.g., decoydevice 112A, decoy controller 112B, decoy data 112C) that simulateexisting data sources and data sinks of cyber-physical system 100 so ifan attacker 114 interfaces with decoys 112, decoys 112 communicate withthe attacker 114 just like other components of cyber-physical system100, and as the attacker expects. Decoy device 112A mimics thefunctionality of one or more devices 102. Decoy controller 112Bsimulates the operations of one or more controllers 104. Decoy data 112Cstores a dynamic, replica of the information stored as data 108 to mimicthe information otherwise stored as data 108.

Decoys 112 may generate portions of decoy data 112C for purposes ofdeceiving an attacker 114, without generating actual data 108 orotherwise interfering with any actual processes performed by othercomponents of cyber-physical system 100. Other components ofcyber-physical system 100 may use decoy data 112C to support an ongoingdeception. Cyber-physical system 100 can also ignore or discard decoydata 112C as a way to free up computing resources or further preventinterference with any actual processes performed by other components ofcyber-physical system 100.

Decoy data 112C may include “breadcrumbs” meant to entice an attacker114. For instance, decoy data 112C may be a data structure (e.g.,look-up table), application programming interface (API), or other formof data that is visible to attacker 114. Cyber-physical system 100 mayconfigure decoy data 112C to alert a security administrator anytime thebreadcrumbs (e.g., the data structure, API, or other form of dataassociated with decoy data 112C) are “picked up” or accessed.

Some components of cyber-physical system 100, such as devices 102 andcontrollers 104, are configured to communicate with decoys 112 to conveya more realistic deception to an attacker, such as attacker 114. Alsoreferred to as “HoneyShill” components, a cyber-physical system 100 mayimplement a deception by configuring other components of thecyber-physical system 100 to regularly participate in interactions withdecoys 112. Implementing direct communication between a decoy 112 andanother component of the cyber-physical system 100 may make the decoy112 appear genuine so an observing attacker 114 may be more likely tobelieve the deception.

Cyber-physical system 100 may configure actual components ofcyber-physical system 100 (e.g., devices 102, controllers 104, UI/UXcomponent 106, data 108) to act as HoneyShills. Cyber-physical system100 may configure decoy components of cyber-physical system 100 (i.e.,decoys 112) to act as HoneyShills. Cyber-physical system 100 mayconfigure a combination of actual and decoy components to operate asHoneyShills.

For example, a security administrator may program controller 104N torequest data (e.g., temperature, pressure, voltage) and send controlsignals or change of state information (e.g., valve state, motorthrottle, dead band settings) to decoy device 112A. The securityadministrator may provide input to UI/UX component 106 to execute ascript that automatically configures controller 104N to communicate withdecoy device 112A similarly to how controller 104N may communicate withdevice 102N. The security administrator may interface withcyber-physical system 100 via network 130 to remotely configurecontroller 104N to communicate with decoy device 112A. In response tothe control signals or change of state information received fromcontroller 104N, decoy device 112A may output a portion of decoy data112C to mimic what one or more of devices 102 would generate as data108, if responding to similar control signals from controller 104N.

Similarly, decoy controller 112B may be configured to send controlsignals or change of state information to other decoys 112, includingdecoy device 112A. In response to the control signals or change of stateinformation from decoy controller 112B, decoy device 112A may outputdecoy data 112C for deceiving an attacker 114. In this way, bycommunicating with other decoy or actual components of cyber-physicalsystem 100, decoy controller 112B and decoy device 112A appear moregenuine.

By having controllers or other parts of a cyber-physical system act asHoneyShills that participate in a deception, an attacker 114 may be moreconvinced the deception is real and therefore stay engaged with decoys112 for a larger duration of time than if the controllers 104 or otherparts of the cyber-physical system 100 did not participate in thedeception. Keeping an attacker 114 engaged with a deceptive part of thecyber-physical system 100 may provide other defenses sufficient time toinitialize and fend off the attacker 114.

In some examples, a security administrator may provide input to systemmodel 110 or cyber-physical system 100 to perform configurationmanagement for a deception. For example, a security administrator canengage with an interface of system model 110 or system 100 to configuredecoys 112 to execute logic and gather information between the decoys112 about interactions and alerts.

UI/UX component 106 may be configured to participate in a deception. Forexample, attacker 114 may interface with UI/UX component 106 to developan understanding of cyber-physical system 100. UI/UX component 106 maybe configured as a HoneyShill to lure attacker 114 towards decoys 112and away from other components of cyber-physical system 100. Forexample, UI/UX component 106 may present an indication of decoy device112A more prominently in a user interface (e.g., with a particularformat, in a particular position, in a particular order) so an attacker114 is more likely to choose to interrogate decoy device 112A ratherthan interfere with a different part of cyber-physical system 100.

UI/UX component 106 can in some examples alert a security administratoror other part of cyber-physical system 100 when UI/UX component 106detects inputs at parts of UI/UX component 106 that are meant to lure anattacker 114. For example, in response to detecting a selection of theindication of decoy device 112A from the user interface of UI/UXcomponent 106, UI/UX component 106 may send a message to the securityadministrator of cyber-physical system 100 that alerts the securityadministrator of a possible attack. It should be understood that asystem administrator or a security administrator may be a human operatoror a machine. For example, UI/UX component 106 may automate variousadministration tasks, including taking actions to thwart an attack inresponse to alerts.

In some cases, UI/UX component 106 may require a deeper level ofinteraction before generating an alert about a possible attacker. Forexample, to minimize false positives, and before UI/UX component 106sends a message to the security administrator of cyber-physical system100 to alert the security administrator of a possible attack, UI/UXcomponent 106 may determine, from characteristics of the possibleattack, whether the possible attack is genuine. For example, UI/UXcomponent 106 may be programmed to execute rules or logic thatdetermine, based on a current context of cyber-physical system 100(e.g., the physical characteristics and cyber-characteristics ofcyber-physical system 100) whether detected interactions at parts ofUI/UX component 106 that are meant to lure an attacker are originatingfrom an actual attacker 114. UI/UX component 106 may be programmed toexecute rules or logic that determine, based on characteristics of theinteraction with UI/UX component 106 (e.g., input type, input duration,input speed, input location) whether an interaction at parts of UI/UXcomponent 106 that are meant to lure an attacker are originating from anactual attacker 114.

Cyber-physical system 100 relies on system model 110 to generate decoys112 with sufficient realism to deceive a sophisticated attacker, such asattacker 114. For example, system model 110 may execute on one or moreprocessors of cyber-physical system 100 (e.g., as a function ofcontrollers 104, devices 102, or one or more remote processorsaccessible to cyber-physical system 100. In some examples,cyber-physical system 100 includes system model 110. In other cases,cyber-physical system 100 is separate from system model 110.

System model 110 can be, generally, any type of machine-learned orphysics-based model, trained or programmed on historical data associatedwith cyber-physical system 100, to produce an interrogatory responsethat mimics how an actual component of cyber-physical system 100 wouldrespond to an interrogation from an attacker, given a particularcontext. Machine-learned examples of system model 110 include neuralnetworks, deep-learning neural networks, Bayesian networks, and anyother type of machine-learned model. As a machine-learned model, systemmodel 110 is configured to generate, from training data (e.g.,historical input and output data), logic derived from patterns or rulesidentified in the training data, that predicts one or more futureoutputs, for a particular set of inputs, without having ever beenexplicitly programmed to predict the future outputs for the particularset of inputs. As a physics-based model, system model 110 is programmedbased on historical data to execute logic that mimic realistic output,for a given set of inputs.

System model 110 may undergo training. System model 110 may receive astraining data, example inputs to cyber-physical system 100, and exampleoutputs and other information generated by cyber-physical system 100,over time. The training data input to system model 110 may includephysical-state information or cyber-state information associated withcyber-physical system 100, for various contexts. The training data mayinclude examples of data 108 at different times and during differentoperating conditions of cyber-physical system 100. The training data mayinclude example “network traffic” or information exchanged betweendevices 102, controllers 104, and UI/UX component 106, during differentcontexts and for various operating conditions.

System model 110 may generate decoys 112 to follow rules or logic thatproduce an expected output given a particular set of inputs. Systemmodel 110 may learn a specific type of data 108 that is generated bydevice 102N, in response to a particular control signal received fromcontroller 104A, given a particular time or given a particular state ofother components of cyber-physical system 100. System model 110 mayconfigure decoys 112 to execute specific logic for creating decoy data112C to mimic an expected output from the other components ofcyber-physical system 100, for the given context.

By relying on system model 110, decoys 112 are trained on historical,operational data generated by cyber-physical system 100 (or a similarcyber-physical system that decoys 112 are deployed to protect). Systemmodel 110 learns how to cause decoys 112 to mimic data generationperformed by other components of cyber-physical system 100, under avariety of states and operating conditions. System model 110 causesdecoys 112 to produce realistic data that is tailored to a current stateor current operating condition of cyber-physical system 100. Byproviding seemingly-realistic, synthetic data in response to anattacker, such as attacker 114, decoys 112 appear to exposevulnerabilities in cyber-physical system 100 without actually conveyingany real insights into the workings of cyber-physical system 100.

System model 110 may cause decoys 112 to output decoy data 112C thatappears similar to data 108 that devices 102 and controllers 104 mightoutput if actually undergoing a cyber-attack. An attacker 114,therefore, might be deceived from data generated by decoys 112 intothinking they are learning what part of cyber-physical system 100senses, controls, or does, particularly if a different part ofcyber-physical system 100 is under cyber-attack. For example, systemmodel 110 may cause decoy device 112A to mimic what device 102N might doif controller 104N was under cyber-attack. System model 110 mayconfigure decoys 112 to simulate behavior of cyber-physical system 100thereby providing highly-realistic deceptive responses to attackers.

In some examples, a security administrator, via UI/UX component 106, mayreceive an alert when an attacker 114 is communicating with, and beingdistracted by, one of decoys 112. While the attacker 114 is deceived,the security administrator can take active security measures in responseto the alert to defend against the attack.

For example, being that decoy device 112A is not a real device thatsenses, monitors, modifies, or controls part of a process performed bycyber-physical system 100, a system administrator may configure UI/UXcomponent 106 to signal when any entity within cyber-physical system 100attempts to interact with (e.g., write data to or read data from) decoydevice 112A. In other words, because decoy device 112A may not be reliedon by any other components of cyber-physical system 100 to furtheroperations of cyber-physical system 100, an attempt to communicate withdevice 112A may be a signal of an attack. While an attacker tries tointeract with device 112A, a system administrator may be alerted and cantake action to identify the attacker 114 or isolate the rest ofcyber-physical system 100, from the cyber-attack.

In this way, the described techniques may enable a cyber-physicalsystem, such as cyber-physical system 100, to successfully deceive anattacker 114 just long enough for a security administrator of thecyber-physical system 100, or other counter-measure, to take action. Inaddition, by configuring decoys 112 to generate alerts immediately uponreceipt of unexpected communications (e.g., from an attacker 114), thereis less uncertainty about whether an attack is actually occurring. Thealert generated by the decoys 112 is triggered by a strong signal froman attacker 114. As such, the decoys 112 may provide a better detectionprocess that results in zero or nearly zero false positive detections.

FIG. 2 is a conceptual diagram illustrating an example model trained,based on historical data associated with a cyber-physical system, todeploy one or more decoys for distracting an attacker, in accordancewith the techniques of this disclosure. FIG. 2 includes cyber-physicalsystem 200, system model 210, decoy 212, and attacker 214. System model210 includes training component 220, device rules 222, controller rules224, data management rules 226, and general system rules 228. FIG. 2 isdescribed in the context of FIG. 1 . For example, cyber-physical system200 is an example of cyber-physical system 100, system model 210 is amore detailed example of system model 110, decoy 212 is an example ofone of decoys 112, and attacker 214 is an example of attacker 114, ofFIG. 1 .

System model 210 includes one or more machine-learned models (made up ofdevice rules 222, controller rules 224, and data management rules 226)trained to generate “synthetic responses” to an attacker's inquiriesinto cyber-physical system 200. The synthetic responses mimic historicalresponses generated by cyber-physical system 200 in response to actualhistorical inquiries received by cyber-physical system 200. System model210 tailors the synthetic responses for a current system context toensure the synthetic responses mimic actual responses generated bycyber-physical system 200 given a similar, historical context.

A synthetic response may appear genuine, however, because the syntheticresponse is derived from one or more rules 222, 224, 226, or 228 ofsystem model 210, and not generated by an actual working component ofcyber-physical system 200, the synthetic response does not provide anyactual insight into the workings or operating conditions ofcyber-physical system 200. As such, the synthetic responses generated bysystem model 210 enable decoys, such as decoy 212, to provide arealistic deception without giving away any useful working knowledge ofcyber-physical system 200.

System model 210 includes training component 220 for generating rulesand other logic that system model 210 uses to generate syntheticresponses in response to a cyber-attack. To replicate the behavior ofcyber-physical system 200, system model 210 may rely on one or morerecurrent neural networks (RNNs). The RNN may analyze historicalinformation associated with cyber-physical system 200 to frame aforecasting problem to be solved by the RNN. For example, given a set ofhistorical temperature readings and subsequent controller decisions madein response to the temperature readings, system model 210 may execute anRNN to forecast future temperature readings and controller decisions.

RNNs are a subset of neural network models. Neural network models arerecognized for using a biologically inspired programming paradigm thatenables a computer to learn from observational data. A typical neuralnetwork model consists of a collection of nodes, which loosely modelneurons in a human brain. Such systems “learn” to perform tasks byconsidering examples, generally without being programmed with anytask-specific rules.

RNNs draw conclusions about information based on the temporal structureof the input data. The network considers not only current inputs butalso the state of the RNN that arose from considering previous inputs ina sequence of inputs. That is to say, an RNN has memory includingmultiple layers where each layer corresponds to a particular element inan input sequence. Each layer receives the RNN's long-running memory ofthe input sequence so far, as well as the output generated by the RNNfrom analyzing previous elements in the sequence.

In some cases, decoy generation and cyber-physical system simulation maybenefit from using long-short-term memory (LSTM) type RNNs. LSTM typeRNNs determine an output for a particular input, given past outputsderived from previous inputs, as well as based on other broad contextualfeatures derived from training data. An LSTM type RNN may generate adecoy that relies on information about past outputs derived fromprevious inputs (i.e., long-term memory) as well as information providedthe most-recent outputs derived from the most-recent inputs to the LSTM(i.e., short-term memory).

Device rules 222, controller rules 224, data management rules 226, andgeneral system rules 228 can include rules and other logic learned bytraining component 220 from analyzing historical information associatedwith cyber-physical system 200. The historical information can includehistorical inquiries received by cyber-physical system 200. For example,historical inquiries may include example inputs received from anoperator or other controller communicating directly, or remotely, withcomponents of cyber-physical system 200. Historical inquiries mayinclude machine understandable messages (e.g., system calls, networktraffic) originating from or received by devices and controllers thatmake up cyber-physical system 200.

Device rules 222, controller rules 224, data management rules 226, andgeneral system rules 228 can include rules and other logic generatedmanually by an administrator of cyber-physical system 200. For example,when creating a “new” decoy as part of cyber-physical system 200, thenew decoy can represent a component of cyber-physical system 200 thatdoes not currently exist, and new logic can be programmed into the decoyon how to react to data output from system model 210. For example,cyber-physical system 200 may be a boiler system. The new decoy maysimulate a new pressure relief valve that does not actually exist in theboiler system in the physical world. The decoy can be manuallyprogrammed with logic that calculates a pressure from values observedovertime from the real boiler system. The decoy may execute the logic tocontrol variables in the system model 210 to cause effect on otherdecoys in the system model 210. For instance, if a pressure variable istoo high, the decoy valve may open to simulate a reduction in atemperature variable detected by a downstream decoy sensor.

Training component 220 may observe historical responses to thehistorical inquiries to generate rules and other logic that predict howcomponents of cyber-physical system 200 are likely to respond to futureinputs. For example, training component 220 may identify patternsbetween content associated with some historical inquiries andcorresponding responses. Training component 220 may generate a rule orother logic so that system model 210 generates a synthetic response toan inquiry that mimics previous responses made by cyber-physical system200, to similar inquiries.

In addition to training system model 210 based on historical inquiriesand historical responses associated with cyber-physical system 200,training component 220 may improve the rules and other logic of systemmodel 210 using other information. Training component 220 may enablesystem model 210 to generate synthetic responses that are dynamicallytailored according to current operating conditions of cyber-physicalsystem 200. By adapting the synthetic responses to a current context,system model 210 can generate synthetic responses that are convincing toan attacker and are therefore likely to give a system administrator timeto defend against an attack. For example, system model 210 may generatephysics-based rules at general system rules 228 that define changes to aphysical-working environment where part of cyber-physical system 200resides depending on other conditions of cyber-physical system 200.System model 210 may generate other physics-based rules at generalsystem rules 228 that define changes to attributes, characteristics,variables, or state information about conditions of physical processesperformed by cyber-physical system 200. For instance, system model 210may generate a rule for updating a temperature at part of cyber-physicalsystem 200 given changes to outside temperature, changes in pressure ata valve of a different part of cyber-physical system 200 or using someother physics-based criteria. System model 210 may learn from historicalsystem conditions some of the dependencies of cyber-physical system 200and generate general system rules 228 that define the dependencies.

For instance, device 102A may be a boiler of cyber-physical system 200.When device 102A switches on and generates heating capacity, a differentpart of cyber-physical system 200 (e.g., device 102N) that receives theheating capacity from the boiler may typically increase in temperature,at a particular rate. To implement a convincing deception, system model210 may configure decoy 212 to indicate a temperature that increases atthe particular rate, when configured as a recipient of the heatingcapacity from device 102A. This way, if an attacker 214 observes thatthe boiler is producing heating capacity, decoy 212 will behave in a waythat deceives attacker 214 into thinking decoy 212 is an actual,integrated part of cyber-physical system 200.

System model 210 may generate rules and other logic that decoy 212executes to deceive an attacker 214. Decoy 212 may be any type of decoy,including a device or sensor decoy that primarily monitorscyber-physical system 200. As a monitoring device, decoy 212 isconfigured to provide false assurance or validation of an ongoing attackon part of cyber-physical system 200. Decoy 212 may execute device rules222 to deceive an attacker 214.

For example, decoy 212 may mimic a typical response from a sensor ofcyber-physical system 200 when a controller of cyber-physical system 200receives a particular command or particular inquiry. An attacker, suchas attacker 214, may rely on synthetic outputs generated by decoy 212 toverify an attack on cyber-physical system 200 is working. The attacker214 may monitor decoy 212 down-stream from the controller, to verify thecontroller under attack is commanding the desired condition or change.

By distracting attacker 214 with synthetic outputs, a securityadministrator may have time to take active measures to defend againstattacker 214. For example, decoy 212 may automatically trigger an alertrecognized by cyber-physical system 200, any time decoy 212 receives aninquiry from an external entity. In other words, because decoy 212 isnot actually integrated into cyber-physical system 200, cyber-physicalsystem 200 does not rely on decoy 212 to perform any function beyonddeception. Other components of cyber-physical system 200 therefore haveno reason to communicate with decoy 212 other than to provide up-to-datestatus information or configuration information. As such, decoy 212 maybe configured to output an alert or cause an interrupt at cyber-physicalsystem 200 to indicate to a security administrator that decoy 212 hasreceived input, potentially from an attacker 214.

Decoy 212 may be a controller decoy that generates output to mimic how acontroller communicates with (and in some cases controls) othercomponents or devices of cyber-physical system 200. Decoy 212 may followcontroller rules 224. Unlike a monitoring decoy, a controller decoy mayrequire more elaborate logic to mimic the different types of responsesthat a real controller can generate, particularly given a wide-varietyof operating conditions. For example, a controller typicallycommunicates with multiple devices, whereas a single device may onlycommunicate with a single controller. Therefore, controller rules 224may be dependent on a greater quantity of inputs than device rules 222,as controller rules 224 may need to account for more conditions orcharacteristics of cyber-physical system 200.

Decoy 212 may be configured as part a decoy data store. As decoy data,decoy 212 stores information in a memory or other type ofcomputer-readable media associated with cyber-physical system 200 thatis meant to be accessed by an attacker, such as attacker 114. Decoy 212may store replica data associated with cyber-physical system 200, butnot actual data. Decoy 212 may execute data management rules 226 tomodify or adjust the replica data, to mimic how real data associatedwith cyber-physical system 200 changes over time given different systemcontexts or historical system conditions. The information retained bydecoy 212 may entice the attacker 214 that accesses decoy 212 so asecurity administrator can be alerted to the presence of the attacker214, and defend against the attack. Decoy 212 may mimic a datastructure, buffer, messaging system, or other data store associated withcyber-physical system 200.

Although the techniques of this disclosure are mostly described in thecontext of implementing “integrated deception” to handle a cyber-attack,there are other types of model-driven deception that can benefit fromthe described techniques. The techniques of this disclosure are equallyapplicable to other types of model-driven deception, including clonedeception and copy deception. One deception might be preferred overanother, as a function of the location of the deception in relation tothe real, cyber-physical system and the type of threat intended to becountered

Integrated deception places decoys within the real cyber-physical systemand the decoy model operates such that the decoy logically relates toreal data within the real system. For example, in a chemical process, adecoy could be generated that controls a fictional valve downstream thatcontrols a fictional flow to a decoy sensor.

Clone deception is when an exact replica of a cyber-physical system orportion thereof (i.e., a deceptive clone) is presented instead of thereal cyber-physical system to deceive an attacker that they areinteracting with components of the real cyber-physical system. Toimplement deceptive cloning, the cyber-physical system may require logicthat determines when a connection is likely associated with an attackerand not, so as to send the connection to the deceptive clone or to thereal cyber-physical system. Clone deception may be most suitable whenimplemented to protect part of a cyber-physical system that isassociated with access control mechanisms like virtual private network(VPN) connections or proxies where anomalous or bad authentication canbe forwarded to the deceptive clone instead of the real system.Deceptive cloning traps the attacker into a fictional world that isdirectly related to the real system, but instead of the real system, thefictional world is driven by a model built from observed data of thereal system. Only upon control or other altering interactions by theattacker is the projection of effect necessary.

In the example of FIG. 2 , training component 220 may generate rulesthat configure decoy 212 to operate as a deceptive clone ofcyber-physical system 200 that mimics historical observations ofcyber-physical system 200. If attacker 214 unsuccessfully tries toaccess cyber-physical system 200, cyber-physical system 200 may routethe connection through decoy 212 and allow attacker 214 to interact witha model trained to mimic cyber-physical system 200, without actuallyallowing the attacker 214 access any component of cyber-physical system200.

Copy deception is similar to clone deception. In copy deception however,multiple replicas of the real cyber-physical system are presented aspotential targets. Copy deception obfuscates the real cyber-physicalsystem by each executing an independent model of the real system model.The deceptive copies may execute unique models with clear differences,to further obfuscate which potential target is the real cyber-physicalsystem. Each deceptive copy can respond and react to interactionsindependently. Copy deception could be utilized in coordination withmoving target defense techniques like internet protocol (IP) addresshopping to further confuse an attacker.

Training component 220 may generate rules that configure decoy 212 tooperate as multiple deceptive clones of cyber-physical system 200, suchthat each mimic historical observations of cyber-physical system 200.When attempting to access cyber-physical system 200, decoy 212 maypresent interfaces into multiple, different cyber-physical systems,requiring attacker 214 to guess at which interface is the real interfaceinto cyber-physical system 200. Decoy 212 may allow attacker 214 tointeract with a model of a deceptive copy that is trained to mimiccyber-physical system 200, without actually allowing attacker 214 accessto any component of cyber-physical system 200.

FIG. 3 is a conceptual diagram illustrating an example decoy fordistracting an attacker of a cyber-physical system, in accordance withthe techniques of this disclosure. FIG. 3 illustrates decoy 312. Decoy312 is an example of any one of decoys 112 and 212 from FIGS. 1 and 2 .

To provide sufficient fidelity, system model 110 and system model 210may generate decoy 312 by adhering to certain requirements. Systemmodels 110, 210 may generate decoy 312 to reflect the physicalproperties or physics behind a real cyber-physical system. For instance,by learning the physics behind changes to different parts ofcyber-physical system 200, system model 210 may create decoy 312 whichproduces realistic variable data that mimics similar variable dataproduced by an actual component of cyber-physical system 200. Systemmodels 110, 210 may generate decoy 312 dynamically and the underlyingphysics models that system models 110, 210 executes automatically adjustto support additional components. Instead of sandboxing decoy 312 tooperate independently, system models 110, 210 may cause decoy 312 toappear integrated into the real cyber-physical system by communicatingwith other decoys or with other components of the real cyber-physicalsystem. By generating decoys in this way, decoy 312 may execute logicthat closely resembles an actual, tempting and easy-to-exploit target ofthe cyber-physical system.

Decoy 312 includes three main attributes that interact with neuralnetworks 333, including a protocol attribute, a logical attribute, and avariable attribute that all interact to support operations of one ormore underlying neural networks 333. Each of these attributes definesthe characteristics and behavior that neural network 333 follows, whenimitating part of the cyber-physical system. To deceive potentialattackers, decoy 312 may perform some functions that make decoy 312appear as if it were a real device operating in a real cyber-physicalenvironment. For example, devices in a real cyber-physical system, suchas devices 102 of cyber-physical system 100, communicate according toone or more network protocols with controllers 104 and other parts ofcyber-physical system 100. In addition, the devices 102 typicallycontrol or monitor a set of variables, and the devices 102 typicallyperform actions based on a set of logic. To be effective, system models110, 210 cause decoy 312 to do the same. By dividing decoy 312 into aprotocol attribute, a logical attribute, and a variable attribute,system models 110, 210 can simplify the decoy generation process. Asecurity administrator may in some examples, define the attributes ofdecoy 312 and provide input to system models 110, 210 to cause decoy 312to be deployed.

The decoy 312 illustrated in FIG. 3 includes three main components thatinteract with neural networks 333, including: protocol module 330,variable module 334, and logic module 332. Modules 330 through 334 maybe components of decoy 312 that communicate or otherwise shareinformation to enable decoy 312 to execute a realistic deception. Forexample, modules 330, 332, and 334, as well as neural networks 333 mayinteract via direct messaging communications, or by sharing informationthrough a database (e.g., by reading and writing data to and fromspecific locations in the database).

Protocol module 330 represents a portion of decoy 312 that simulatescommunication between decoy 312 and other decoys and components of areal cyber-physical system. Some components of cyber-physical systemscommunicate according to multiple different communication protocols, forinstance, depending on the domain of the communication. For example,controller 104A of cyber-physical system 100 may communicate accordingto a first messaging scheme or protocol to communicate a first set ofcontrol signals to device 102A and may communicate according to adifferent messaging scheme or protocol to communicate a second set ofcontrol signals to device 102N.

Protocol module 330 may be trained to generate and respond tocommunications. Protocol module 330 may be trained to adapt thefrequency and structure of communications to generate network trafficthat is purposeful. For instance, decoy 312 may be deployed to protect abuilding automation system. Protocol module 330 may cause decoy 312 togenerate network communications (e.g., decoy data 112C or other decoycommunications) that is not random or incoherent. Protocol module 330may create and output network communications or so-called decoycommunications that appear to facilitate an actual process. Protocolmodule 330 may select an appropriate communication protocol depending ona type of decoy communication or variable associated with the decoycommunication.

Variable module 334 maintains a set of variables related to the physicalprocess being emulated by decoy 312. Variable module 334 may maintainrecords of information that decoy 312 simulates as being monitored orcontrolled. Examples of variables maintained by variable module 334 mayinclude temperature, voltage, current, wattage, flow rate, capacity,humidity, or any other attribute of a cyber-physical system that decoy312 simulates to control. Variable module 334 may maintain variablesthat are associated with the logic and protocols associated with modules330 and 332. For example, variable module 334 might be a temperaturevariable associated with cyber-physical system 100 when decoy 312 isemulating a valve for controlling fluid flow and variable module 334 mayinstead maintain a voltage or current variable, as opposed to thetemperature variable, when decoy 312 is emulating a switch forcontrolling electricity flow.

Decoy 312 may produce input and/or output. Variable module 334 maygenerate variables or extrapolate variables received from other parts ofa cyber-physical system. Variable module 334 of decoy 312 may exchangevariables, via protocol module 330, with other decoys. A variable thatis an output of one decoy device can be read by another device using thenetwork protocol associated with those devices. This interactiongenerates traffic on the network and adds to the realism of thedeception. For example, decoy 312 may monitor air temperature andanother decoy could query that temperature periodically to control airflow.

Logic module 332 directs the operation of decoy 312. Logic module 332 isconfigured to implement functions for supporting communicationsgenerated by protocol module 330 based on information managed byvariable module 334. For example, programmed as a decoy HVAC controller,logic module 332 may simulate control of a fan in an HVAC system bydetermining when to generate control signals that a real controllerwould output to regulate airflow. Logic module 332 may monitor avariable maintained by variable module 334 that is associated with areal or simulated temperature sensor, and may cause protocol module 330to simulate controlling the fan, depending on whether the variablereaches a particular temperature threshold.

FIG. 4 is a flow-chart illustrating example operations performed inresponse to a cyber-attack by a cyber-physical system and an integrateddecoy, in accordance with the techniques of this disclosure. Operations450 through 460 of FIG. 4 may be performed in a different order thanwhat is shown in FIG. 4 and may be performed with additional or fewersteps than what is shown in FIG. 4 . FIG. 4 is described in the contextof system model 210 of FIG. 2 . For example, one or more processors of acomputer that are communicatively coupled to, or integrated into,cyber-physical system 200. The one or more processors execute operationsattributed to system model 210 and decoy 212 by executing instructionsfor performing operations 450 through 460.

In operation, system model 210 may collect information about acyber-physical system (450). For example, training component 220 ofsystem model 210 may collect sensor readings, control signals, networktraffic, and any other information that training component 220 can inferfrom monitoring cyber-physical system 200, over time.

System model 210 may train a model based on the information to simulateat least a portion of the cyber-physical system (452). For example,training component 220 may generate one or more rules 222 through 228 topredict future sensor readings, future control signals, future networktraffic, and other future information related to cyber-physical system200 for a variety of conditions. As a simple example, training component220 may generate a device rule of rules 222 that predicts a particulartemperature value or reading if one or more conditions associated withcyber-physical system 200 (e.g., time of day or other sensor reading) issatisfied. In this way, system model 210 may generate decoys 212 thatfollow rules 222 through 228 to mimic how actual components ofcyber-physical system 200 may perform if interrogated by an attacker.

System model 210 may deploy a decoy within the cyber-physical systemthat executes operations according to system model 210 (454). Forexample, system model 210 may generate decoy 212 as a dragnet forcatching future attackers of cyber-physical system 200. Decoy 212 mayexecute according to rules 222 through 228 generated by system model210. To an untrained or uneducated observer of cyber-physical system200, decoy 212 may appear to perform operations that are similar tooperations performed by a device or controller of cyber-physical system200. For example, attacker 214 may send a signal or message to decoy 212to verify attacker 214 has access to cyber-physical system 200.

In some examples, system model 210 may deploy decoy 212 dynamically. Forexample, decoy 212 may be dynamically deployed to intercept a suspectinput signal in response to detecting the suspect input signal atcyber-physical system 200. That is, cyber-physical system 200 may detectare input signal to a controller or device and rather than output anerror to the sender of the input signal, system model 210 mayautomatically generate decoy 212 to handle the input signal and keep thesender distracted while cyber-physical system 200 can perform otherdefense measures.

System model 210 may detect an unexpected signal or incomingcommunication to the decoy (456). For example, decoy 212 may beconfigured to communicate with one or more other decoys or otherHoneyShills of cyber-physical system 200, however the existence of decoy212 may not be apparent except through malicious intrusions tocyber-physical system 200. In other words, only a security administratoror other user of cyber-physical system with sufficiently high privilegesmay be aware of where system model 210 has deployed decoy 212. Othercomponents of cyber-physical system 200, for instance while acting as aHoneyShill, may be aware of decoy 212 if the security administrator orother user programs the other components to be aware of decoy 212. Inthis way, if system model 210 registers an attempted communication withdecoy 212, system model 210 or decoy 212 itself, may trigger an alarm asthe attempted communication is likely an attack. For example, acontroller of cyber-physical system 200 may detect an attemptedcommunication with decoy 212 and determine that decoy 212 is registeredas a decoy with cyber-physical system 200.

In response to detecting the unexpected signal (456), system model 210and/or the decoy, may output an alert to the cyber-physical system thatis indicative of a possible attack at the decoy (458A). For example,system model 210 and/or decoy 212 may trip an interrupt or send acommunication to a UI/UX component or modify a network log, to recordthe unexpected signal.

Further in response to detecting the unexpected signal (456), systemmodel 210 and/or the decoy, may implement a deception that causes thedecoy to handle the signal or incoming communication by mimicking how acomponent of the cyber-physical system would handle the signal orincoming communication (458B). For example, decoy 212, after triggeringan alarm, may attempt to keep a potential attacker distracted byexchanging information with the attacker, in ways that a device orcontroller of cyber-physical system 200 would, if communicating with theattacker. Logic executing as part of decoy 212 may generate dynamicresponses to attacker inquiries, and may include information in theresponses that changes, as expected, according to the modeled physics ofcyber-physical system 200.

Cyber-physical system 200 may perform an action in response to thepossible attack (460). For example, cyber-physical system 200 mayattempt to identify an attacker, or enable various active, defensivemeasures to prevent the attacker from gaining access to or causingdamage to cyber-physical system 200. As one example, cyber-physicalsystem 200 may record an IP address of attacker 214 and add the IPaddress to a blacklist of authorized remote users.

While various preferred embodiments of the disclosure are described inthe foregoing description and shown in the drawings, it is to bedistinctly understood that this disclosure is not limited thereto butmay be variously embodied to practice within the scope of the followingclaims. From the foregoing description, it will be apparent that variouschanges may be made without departing from the spirit and scope of thedisclosure as defined by the following claims.

What is claimed is:
 1. A method comprising: generating a plurality ofexamples for a training data set, where generating the examples in thetraining data set comprises receiving example historical informationabout a cyber-physical system; and training a system model using thetraining data set to generate a decoy, the decoy configured to generatean expected output given a particular set of inputs, where the inputs tothe decoy comprise a current system context of the cyber-physical systemand an inquiry into the decoy by a potential attacker, and where theexpected output of the decoy comprises a generated synthetic output thatmimics historical outputs generated by the cyber-physical system for agiven historical system context, where the generated synthetic output isbased on one or more system rules, the system rules generated whentraining the system model and based on historical changes to attributes,characteristics, variables, or state information about conditions ofphysical processes performed by the cyber-physical system.
 2. The methodof claim 1, wherein receiving example historical information about thecyber-physical system comprises at least one of: receiving examplehistorical system contexts of the cyber-physical system; receivingexample historical inputs to the cyber-physical system; or receivingexample historical outputs generated by the cyber-physical system. 3.The method of claim 1, wherein receiving example historical informationabout the cyber-physical system comprises: receiving example historicalsystem contexts of the cyber-physical system, the historical systemcontexts comprising at least one of: a historical system condition ofthe cyber-physical system; a historical state of the cyber-physicalsystem; a historical operating condition of the cyber-physical system;or a historical characteristic of the cyber-physical system.
 4. Themethod of claim 1, wherein receiving example historical informationabout the cyber-physical system comprises: receiving example historicalinputs to the cyber-physical system, the historical inputs comprising atleast one of: a historical input from an operator of the cyber-physicalsystem communicating with components of the cyber-physical system; ahistorical input from a controller of the cyber-physical systemcommunicating with components of the cyber-physical system; or ahistorical input from a device of the cyber-physical systemcommunicating with components of the cyber-physical system.
 5. Themethod of claim 1, wherein receiving example historical informationabout the cyber-physical system comprises: receiving example historicaloutputs generated by the cyber-physical system, the historical outputscomprising at least one of: operational data generated by components ofthe cyber-physical system; or sensor data generated by a sensor of thecyber-physical system.
 6. The method of claim 1, wherein the generatedsynthetic output comprises a predicted future condition of at least aportion of the cyber-physical system.
 7. The method of claim 1, whereinthe generated synthetic output simulates a functionality of at least aportion of the cyber-physical system.
 8. The method of claim 1, whereintraining the system model using the training data set to generate thedecoy further comprises: configuring the decoy to execute logic forcreating decoy data to mimic an expected output from another componentof the cyber-physical system for a given system context.
 9. The methodof claim 1, further comprising: training the system model using thetraining data set to detect an input signal indicative of an attempt bythe potential attacker to gain access to or gain control over thecyber-physical system.
 10. The method of claim 9, further comprising:training the system model using the training data set to, responsive todetecting an input signal indicative of an attempt by the potentialattacker to gain access to or gain control over the cyber-physicalsystem, perform operations of: output an alert to the cyber-physicalsystem indicative of a possible attack.
 11. The method of claim 10,further comprising: training the system model using the training dataset to, responsive to detecting an input signal indicative of an attemptby the potential attacker to gain access to or gain control over thecyber-physical system, perform operations of: respond to the inputsignal by simulating a functionality of at least a portion of thecyber-physical system to distract the potential attacker.
 12. The methodof claim 10, further comprising: training the system model to,responsive to detecting an input signal indicative of an attempt by thepotential attacker to gain access to or gain control over thecyber-physical system, perform operations of: respond to the inputsignal by simulating a functionality of at least a portion of thecyber-physical system to distract the potential attacker.
 13. A methodcomprising: receiving a system context of a cyber-physical system;applying a system model to the system context, where the system model istrained to generate an interrogatory response to a received inquiry thatmimics historical outputs generated by the cyber-physical system for agiven system context; receiving an inquiry into the system model by apotential attacker; obtaining from the system model a synthetic outputthat mimics how a component of the cyber-physical system would respondto the inquiry given the system context, where the synthetic output isbased on one or more system rules, the system rules generated whentraining the system model and based on historical changes to attributes,characteristics, variables, or state information about conditions ofphysical processes performed by the cyber-physical system; and providingthe synthetic output to the potential attacker.
 14. The method of claim13, wherein the synthetic output: comprises a predicted future conditionof at least a portion of the cyber-physical system; or simulates afunctionality of the at least a portion of the cyber-physical system.15. The method of claim 13, wherein the system context comprises atleast one of a system condition, a state, an operating condition, or acharacteristic of the cyber-physical system.
 16. The method of claim 13,wherein applying the system model further comprises: generating a decoy,the decoy configured to execute logic for creating decoy data to mimican expected output from another component of the cyber-physical systemfor a given system context.
 17. The method of claim 13, wherein thesynthetic output comprises at least one of: a future sensor reading; afuture control signal; or future network traffic.
 18. The method ofclaim 13, wherein the synthetic output is configured to mimic ahistorical output generated by the cyber-physical system in response toan historical inquiry received by the cyber-physical system.
 19. Themethod of claim 13, wherein the synthetic output is configured to mimichow a component of the cyber-physical system would respond tointerrogation from the potential attacker, given a particular systemcontext.
 20. The method of claim 13, further comprising: training thesystem model to detect an input signal indicative of an attempt by thepotential attacker to gain access to or gain control over thecyber-physical system.
 21. The method of claim 20, further comprising:training the system model to, responsive to detecting an input signalindicative of an attempt by the potential attacker to gain access to orgain control over the cyber-physical system, perform operations of:output an alert to the cyber-physical system indicative of a possibleattack.